In Ticket #10237 Denis De Bernardy suggested implementing the new Mozilla feature to prevent XSS. That was about 11 months ago. The ticket got my attention as well in those days, but I could not give it the thoughtfulness it deserved. My first-approach patch was rated as too restrictive (hey, I like it strict :) ).

CSP WordPress Plugin Image-Gallery

What is CSP?

CSP is an HTTP-header-based notation with rules that tell a browser whether or not to load linked resources like image srcs, JavaScript files and all the other stuff that can be used in XSS attacks. Hypertext comes with no restrictions by default, and CSP adds constraints for more fine-grained control. It only works if the browser supports it as well, but if so, you can add an additional security layer for your site’s users.

Testdriving the CSP Plugin

Installing the plugin is as easy as with almost any other WordPress plugin. Just click on Plugins -> Add New in your backend and search for Content Security Policy, or CSP in short. You should find the Content Security Policy plugin in the result list. Just press the Install link at the end of the entry and confirm by pressing Install Now in the upcoming dialog. After download and install, just activate it.

When you have done that successfully you’ll find a new admin page under Settings -> CSP. Note: You need to have JavaScript enabled to use this plugin. To give you an easy start (and without the need to hassle with configuring headers in “text mode”), this plugin comes with an interactive policy editor. That is why you need to have JavaScript enabled.

Suggest a Policy

For the start, just press the Suggest Policy button. After some Ajax activity, the Trusted Sites list is filled with a default policy. If I saw that right, it analyses your posts and comments for that (at least for post no. 1) and then offers a suggestion. In my scenario that was images for everyone and scripts and styles limited to the local address. Just in case you wonder, the blog is running on an IP address. That’s the one starting with 192.168… in the screenshots.

That default suggestion pleased me for the moment (this is a very simple test blog, I do not need any external scripts or CSS files). To confirm the policy, just press the Save Changes button.

Fine grained Settings

But wait! I do not want to allow linked images. That will transfer users’ referer information to other servers, and I’d like to add some privacy here (sort of a misuse of CSP, but let’s take this as an example for the moment). This can be done by clicking on the Everyone entry below Images, which strikes it through, and the Save Changes button appears again. Pressing it will save the changes. After saving, the Everyone entry is removed.

And now? What happened to images? In CSP there is a fallback to the main (default) setting then. Click on Show Advanced to make the concrete setting visible. That is what has been generated by the plugin’s UI so far:

Note: Do not forget to press the Enable CSP checkbox, otherwise this won’t be activated.

Note 2: Sometimes saving changes does not work with the plugin. Just counter-check by re-opening the admin-page via the menu and save again.
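To make the fallback described under Fine grained Settings concrete, here is an added example (not the plugin’s own code) that parses a policy string, resolves which sources govern a resource type when its directive is missing, and checks whether a given URL would be allowed. It assumes the standardized directive syntax (default-src, img-src, …) rather than the early Mozilla syntax the plugin’s era used, and the blog address 192.168.1.10 is a constructed placeholder.

```python
from urllib.parse import urlparse

# Constructed policies mirroring the post: first the suggested one (images from
# everyone, scripts and styles local only), then the one after "Everyone" is
# struck from Images. 192.168.1.10 stands in for the post's 192.168... address.
SUGGESTED = "default-src 'self'; img-src *; script-src 'self'; style-src 'self'"
STRICT = "default-src 'self'; script-src 'self'; style-src 'self'"
PAGE_ORIGIN = "http://192.168.1.10"


def parse_policy(header):
    """Turn "name src src; name src" into {name: [src, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(header, directive):
    """Sources governing `directive`; a missing fetch directive falls back to default-src."""
    policy = parse_policy(header)
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def source_allows(source, url, page_origin):
    """Simplified matcher: does one source expression permit loading `url`?"""
    u, p = urlparse(url), urlparse(page_origin)
    if source == "*":
        return True
    if source == "'self'":  # same scheme, host and port as the page itself
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source == "'none'":
        return False
    # host-source such as cdn.example.com, https://cdn.example.com or *.example.com
    host = source.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.netloc == host


def is_allowed(header, directive, url, page_origin=PAGE_ORIGIN):
    """True if any effective source for `directive` permits `url`."""
    return any(source_allows(s, url, page_origin)
               for s in effective_sources(header, directive))
```

With the suggested policy a hotlinked image from any host loads; once img-src is gone, images inherit default-src and only the blog’s own address is allowed.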

Summary

CSP is something very useful for your users. While it might not be supported by all your users’ browsers as of today, you as webmistress or -master should take care here and be one of the early adopters. The web is constantly evolving, and security is a process everyone should take their part in.

This CSP plugin is quite new but already useful, even though it still has some flaws in its usability. In the end it does the job and is a nice way to learn about CSP.

hakre on wordpress

Hakre's devlog, thoughts and rants on wordpress on wordpress.com. And webdesign related. And web development related. My weapons of choice are Netscape 2.01, HTML, CSS, PHP and the Gif Construction Kit.
